EUVD-2026-37818

BBOT: Arbitrary File Write in postmandownload Module...

CVE-2026-12568

The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...

CVE-2026-12568 Arbitrary File Write in postman_download module

The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...

CVE-2026-12568

The CVE-2026-12568 entry affects the postman_download module. The root cause is unsanitized use of the workspace name field from the Postman API to build the local output directory path; if the workspace name contains path traversal characters, pathlib resolves outside the intended directory, ena...

PT-2026-50563

Name of the Vulnerable Software and Affected Versions Postman Download Module affected versions not specified Description The postman download module fails to sanitize the workspace name field retrieved from the Postman API when constructing local directory paths. A malicious workspace name...

org.webjars.npm:file-entry-cache (>=5.0.1 <=6.0.1), org.webjars.npm:flat-cache (>=2.0.1 <=3.0.4) +6 more potentially affected by CVE-2026-33228 via org.webjars.npm:flatted (>=2.0.1 <=3.3.4)

org.webjars.npm:flatted MAVEN version =2.0.1, =5.0.1, =2.0.1, =3.3.1, =0.3.16, =0.2.107, =1.1.13, =0.1.30, =1.7.6, =2.0.2 Source cves: CVE-2026-33228 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15700434...

org.webjars.npm:file-entry-cache (>=5.0.1 <=6.0.1), org.webjars.npm:flat-cache (>=2.0.1 <=3.0.4) +6 more potentially affected by CVE-2026-32141 via org.webjars.npm:flatted (>=2.0.1 <=3.3.4)

org.webjars.npm:flatted MAVEN version =2.0.1, =5.0.1, =2.0.1, =3.3.1, =0.3.16, =0.2.107, =1.1.13, =0.1.30, =1.7.6, =2.0.2 Source cves: CVE-2026-32141 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15518042...

CVE-2026-28408

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionartipodocsatendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like...

CVE-2017-18603

The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postmanemaillog page parameter...

CVE-2025-15095

CVE-2025-15095 affects postmanlabs httpbin up to 0.6.1. The flaw is in httpbin-master/httpbin/core.py, enabling cross-site scripting via manipulated input. Exploitation is remote and publicly disclosed. Multiple sources confirm the vulnerability, but remediation notes vary and, in at least one en...

httpbin 代码注入漏洞

httpbin is an open source HTTP request and response service from Postman Inc. A code injection vulnerability exists in httpbin version 0.6.1 and earlier, which stems from a flaw in the file httpbin-master/httpbin/core.py and could lead to a cross-site scripting attack...

EUVD-2025-198918

Malicious code in @postman/postman-collection-fork npm...

Malicious code in @postman/pm-bin-windows-x64 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02ae17f856e11e19fc956689bbc3e88c8de0052e0ea1017d2048d92f20bfa91b The package @postman/pm-bin-windows-x64 was found to contain malicious code. Source: google-open-source-security...

EUVD-2025-198917

Malicious code in @postman/postman-mcp-cli npm...

Malicious code in @postman/postman-mcp-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10b1da432f0b6ecaccc97520bb9697e6dbf44b04415bd15e6ac9864c86f3b37e The package @postman/postman-mcp-cli was found to contain malicious code. Source: google-open-source-security...

Malicious code in @postman/wdio-allure-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e12dee0f26482378a3726898a1190f71749f0cca809d0d6dc3d9c3419473924f The package @postman/wdio-allure-reporter was found to contain malicious code. Source: google-open-source-security...

EUVD-2025-198923

Malicious code in @postman/mcp-ui-client npm...

EUVD-2025-198913

Malicious code in @postman/wdio-allure-reporter npm...

Malicious code in @postman/pm-bin-linux-x64 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94045a09bfa0905195be4f028d9e42bcf608154a645b14b2028754dc6e787b80 The package @postman/pm-bin-linux-x64 was found to contain malicious code. Source: google-open-source-security...

Malicious code in @postman/final-node-keytar (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e6889dec45dcb0e7040af5e5dc6db68b8771b9effdbcea77d115d9e21a430971 The package @postman/final-node-keytar was found to contain malicious code. Source: ghsa-malware...